On 01/07/20 20:21, tincanteksup wrote:
> The post you made on the forum suggests that you have set a default
> gateway on the TAP adapter ..
> Do not do that.
Well yes, it's an attempt I made because I saw everyone in that thread
saying that this fixed the issue. But it didn't for me (and I did not
expect it, actually), so I rolled back to the original configuration.
> We do not have your client config or logs so this is just a guess but
> do not use --block-outside-dns (if you are).
At this point, this is most probably the reason: the block-outside-dns
option is in use. Even if I remove it from the client config, it's
pushed from the server.
But why should this make NLA fail? DNS resolution using the VPN DNS
server appears to work fine for every address, including the one which
Microsoft uses for the connection check. But the failure is systematic
instead.
Indeed, I just discovered there is an NCSI log in the Event Viewer and
when NLA fails I see in there an ActiveHttpProbeFailed event, followed
by a SuspectDnsProbeFailed event.
Sorry for not posting logs and config but I did not want to overwhelm
the list, the terminal output was already long enough.
Here is the config:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 443 tcp-client
setenv opt block-outside-dns
verify-x509-name "xxxx OpenVPN" name
auth-user-pass
pkcs12 xxxx.p12
tls-auth xxxx.key 1
remote-cert-tls server
passtos
And the connection log:
Wed Jul 01 20:41:47 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL
(OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Wed Jul 01 20:41:47 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jul 01 20:41:47 2020 library versions: OpenSSL 1.1.1f 31 Mar
2020, LZO 2.10
Wed Jul 01 20:41:50 2020 TCP/UDP: Preserving recently used remote
address: [AF_INET]x.x.x.x:443
Wed Jul 01 20:41:50 2020 Attempting to establish TCP connection with
[AF_INET]x.x.x.x:443 [nonblock]
Wed Jul 01 20:41:51 2020 TCP connection established with
[AF_INET]x.x.x.x:443
Wed Jul 01 20:41:51 2020 TCP_CLIENT link local: (not bound)
Wed Jul 01 20:41:51 2020 TCP_CLIENT link remote: [AF_INET]x.x.x.x:443
Wed Jul 01 20:41:51 2020 WARNING: this configuration may cache
passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 01 20:41:51 2020 [xxxx OpenVPN] Peer Connection Initiated with
[AF_INET]x.x.x.x:443
Wed Jul 01 20:41:52 2020 open_tun
Wed Jul 01 20:41:52 2020 TAP-WIN32 device [OpenVPN] opened:
\\.\Global\{9872CE0F-C4BA-42E5-8CB3-18E05AE0C387}.tap
Wed Jul 01 20:41:52 2020 Set TAP-Windows TUN subnet mode
network/local/netmask = 172.28.254.0/172.28.254.241/255.255.255.0
[SUCCEEDED]
Wed Jul 01 20:41:52 2020 Notified TAP-Windows driver to set a DHCP
IP/netmask of 172.28.254.241/255.255.255.0 on interface
{9872CE0F-C4BA-42E5-8CB3-18E05AE0C387} [DHCP-serv: 172.28.254.254,
lease-time: 31536000]
Wed Jul 01 20:41:52 2020 Successful ARP Flush on interface [20]
{9872CE0F-C4BA-42E5-8CB3-18E05AE0C387}
Wed Jul 01 20:41:52 2020 Blocking outside dns using service succeeded.
Wed Jul 01 20:41:57 2020 ROUTE: route addition failed using service:
L'oggetto esiste già. [status=5010 if_index=20]
Wed Jul 01 20:41:57 2020 ROUTE: route addition failed using service:
L'oggetto esiste già. [status=5010 if_index=20]
Wed Jul 01 20:41:57 2020 Initialization Sequence Completed
Wed Jul 01 20:41:57 2020 Register_dns request sent to the service
Thanks.
Marco
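
An added example, not part of the message above or of the OpenVPN project: a small Python check that tells whether block-outside-dns took effect because of the client config or because the server pushed it, using the config directive and the log line quoted in the message. The function names, the abridged sample strings and the `pull-filter ignore` variant (OpenVPN 2.4's client-side filter for pushed options) are assumptions added for illustration.

```python
import re

OPTION = "block-outside-dns"

def _directives(config_text):
    """Yield the token list of every non-comment line in a client config."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = line.split()
        # "setenv opt X" applies X when this client build recognises it.
        if tokens[:2] == ["setenv", "opt"]:
            tokens = tokens[2:]
        if tokens:
            yield tokens

def set_locally(config_text):
    """True if the client config itself enables block-outside-dns."""
    return any(t[0] == OPTION for t in _directives(config_text))

def push_ignored(config_text):
    """True if a pull-filter ignore rule would drop a pushed block-outside-dns."""
    for t in _directives(config_text):
        if t[:2] == ["pull-filter", "ignore"] and len(t) > 2:
            prefix = " ".join(t[2:]).strip("\"'")
            if OPTION.startswith(prefix):  # pull-filter matches by prefix
                return True
    return False

def active_in_log(log_text):
    """True if the client log reports that the DNS block was installed."""
    return re.search(r"blocking outside dns.*succeeded", log_text, re.I) is not None

def diagnose(config_text, log_text):
    if not active_in_log(log_text):
        return "inactive"
    if set_locally(config_text):
        return "set in client config"
    return "pushed by server"

# Abridged from the config and log in the message above.
PAGE_CONFIG = "dev tun\nclient\nsetenv opt block-outside-dns\nremote-cert-tls server\n"
PAGE_LOG = "Wed Jul 01 20:41:52 2020 Blocking outside dns using service succeeded.\n"
# Constructed variants: directive removed, then a pull-filter rule added.
STRIPPED = PAGE_CONFIG.replace("setenv opt block-outside-dns\n", "")
FILTERED = STRIPPED + 'pull-filter ignore "block-outside-dns"\n'

if __name__ == "__main__":
    print(diagnose(PAGE_CONFIG, PAGE_LOG), "|", diagnose(STRIPPED, PAGE_LOG))
```
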